> A DNS based man in the middle attack will not work against a SSL
> enabled webserver. This is because SSL certificates certify an
> association between a specific domain name and an ip address. An
> attempted man in the middle attack against a SSL enabled Firefox
> update server will result in the browser rejecting the connection to
> the masquerading update server, as the ip address in the SSL
> certificate, and the ip address returned by the DNS server will not
> match.

False. SSL certificates do not authenticate DNS/IP associations. They
authenticate public key/DNS associations. The difference is likely
irrelevant to this issue, but be sure you understand SSL's PKI when you
explain such things, lest you confuse crypto noobs.
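
Added example, not part of the original message or of any project's code: a sketch of the name check a TLS client performs, run over constructed certificate dicts in the shape Python's ssl.SSLSocket.getpeercert() returns. The host names, addresses and the helper names are assumptions made for illustration; the check compares the requested DNS name with the names in the certificate and never consults the IP address.

```python
# Added illustration. Certificates below are constructed samples shaped like
# the dict returned by ssl.SSLSocket.getpeercert(); all names and addresses
# are placeholders (example.org / RFC 5737 documentation ranges).

GENUINE_CERT = {"subjectAltName": (("DNS", "update.example.org"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.org"),)}
OTHER_CERT = {"subjectAltName": (("DNS", "other.example.net"),)}


def dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName with the host name the client asked for.

    A wildcard is honoured only as the entire left-most label and only when
    at least two further labels follow it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def name_check(requested_host, connected_ip, cert):
    """Return True if cert names requested_host.

    connected_ip is a parameter only to make the point explicit: the address
    that DNS returned plays no part in the decision.
    """
    del connected_ip  # deliberately unused
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(n, requested_host) for n in names)


if __name__ == "__main__":
    host = "update.example.org"
    # Same certificate, two different addresses: the name check is identical.
    print(name_check(host, "192.0.2.10", GENUINE_CERT))    # address from honest DNS
    print(name_check(host, "203.0.113.66", GENUINE_CERT))  # address from forged DNS
    # A server reached through forged DNS that presents a certificate for
    # another name fails the name check. One that replays the genuine
    # certificate passes this check but cannot complete the handshake without
    # the matching private key (key possession is not modelled here).
    print(name_check(host, "203.0.113.66", OTHER_CERT))
```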